Full Report
February’s report on Microsoft patches includes 56 vulnerabilities, two of which are zero-day flaws that have been exploited.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities Patched in February Updates (Focus on Exploited Flaws)
## CVE Details
- CVE ID: CVE-2025-21391, CVE-2025-21418, CVE-2025-21198, CVE-2025-21377, CVE-2025-21381 (and others)
- CVSS Score: 7.1 (CVE-2025-21391), 7.x range (CVE-2025-21418), 9.0 (CVE-2025-21198)
- CWE: Insufficient validation of user-supplied input (for exploitation mechanism in CVE-2025-21418).
## Affected Systems
- Products: Windows (General), Windows Storage component, Windows Ancillary Function Driver for WinSock (AFD), Linux agent in High Performance Computing (HPC) clusters, Microsoft Excel, Microsoft Surface Hardware, Google Chrome, Microsoft Edge, Adobe products (InDesign, Photoshop Elements, Illustrator).
- Versions: Not explicitly detailed in the summary for all CVEs, but generally affecting current Windows client/server versions receiving fixes.
- Configurations:
* CVE-2025-21198: Requires the attacker to already have access to the network the HPC cluster is attached to.
* CVE-2025-21377: Affects Windows systems not exclusively relying on Kerberos for authentication.
## Vulnerability Description
The report details several vulnerabilities, with two noted as being actively exploited:
1. **CVE-2025-21391 (Windows Storage Flaw):** Stems from how Windows resolves file paths and follows links. This can allow a threat actor to delete files and potentially lead to privilege escalation, unwanted access to security logs/configurations, malware injection, or data manipulation.
2. **CVE-2025-21418 (Windows AFD for WinSock):** A privilege escalation vulnerability caused by insufficient validation of user-supplied input, allowing low-privileged users to send specially crafted data that overflows a buffer.
3. **CVE-2025-21198 (HPC Agent Flaw):** A high-scoring vulnerability (CVSS 9.0) allowing remote attacks against a Linux agent in HPC clusters, though network access is required.
4. **CVE-2025-21377 (Spoofing Bug):** Allows a threat actor to reveal a user’s NTLMv2 hash (NTLM relay/pass-the-hash), enabling identity spoofing. Triggered simply by viewing a file in Explorer.
5. **CVE-2025-21381 (Excel RCE):** Allows for Remote Code Execution within Microsoft Excel, leveraging historical attack vectors via macros/embedded scripts.
## Exploitation
- Status: **Exploited in the wild** (CVE-2025-21391 and CVE-2025-21418). Publicly disclosed (CVE-2025-21377).
- Complexity:
* CVE-2025-21418 & CVE-2025-21391: Implied Low/Medium; the report notes no user-interaction requirement for the root issue.
* CVE-2025-21377: Low (viewing a file in Explorer can trigger it).
* CVE-2025-21198: Assumed Medium/High due to network access prerequisite.
- Attack Vector: Varies (Local for privilege escalation, Network for CVE-2025-21198).
## Impact
- Confidentiality: Not affected for CVE-2025-21391 (per scoring). Unknown for others, but RCE/Spoofing generally implies high impact.
- Integrity: **Severe** (CVE-2025-21391). High potential for CVE-2025-21377 (identity spoofing/impersonation).
- Availability: **Severe** (CVE-2025-21391 - file deletion).
## Remediation
### Patches
- Microsoft **February Update** (Includes fixes for all listed Microsoft CVEs, including the zero-days).
- Google **Chrome 131** (Included memory vulnerability patches).
- Apple **iOS 18.3.1** (Includes fix for physical attack vulnerability).
- Adobe updates for InDesign, Photoshop Elements, Illustrator, and others.
### Workarounds
- **CVE-2025-21418:** Patching is critical due to active exploitation; no specific workaround mentioned other than remediation.
- **CVE-2025-21377:** Ensure systems rely primarily or exclusively on Kerberos for authentication if unable to patch immediately (though patching is strongly advised).
- **Browser Updates:** Move browsers (Chrome/Edge) to a weekly Priority Updates cadence rather than standard monthly cycles to reduce exposure time.
## Detection
- **CVE-2025-21377:** Look for evidence of NTLM relay or pass-the-hash activity indicating network credentials theft attempts.
- **General Indicators:** Monitoring for unexpected file deletions or unauthorized privilege escalations on Windows systems related to the storage driver or AFD components.
- **Detection Methods:** Standard patch management tools should flag the missing February updates. Experts recommend heightened monitoring around browsers outside standard patch cycles.
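An added example for the CVE-2025-21377 detection and workaround points above (not part of the original report): it scans constructed Windows Security 4624 records exported as JSON lines, lists which accounts still authenticate with NTLM over the network (so they are not relying exclusively on Kerberos), and flags NTLM logons arriving from outside assumed internal ranges, which is one coarse signal of a relayed or reused NTLMv2 hash. The field names follow the real 4624 schema; the sample values and the internal address ranges are assumptions.

```python
import json
import ipaddress
from collections import Counter

# Constructed sample of Windows Security event 4624/4625 records as a SIEM
# forwarder might emit them (JSON lines). Field names are the real 4624 ones;
# the accounts, hosts and addresses are made up for this example.
SAMPLE_EVENTS = """
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos", "TargetUserName": "alice", "IpAddress": "10.0.0.5", "WorkstationName": "WS01"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetUserName": "bob", "IpAddress": "10.0.0.9", "WorkstationName": "WS02"}
{"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "TargetUserName": "bob", "IpAddress": "203.0.113.7", "WorkstationName": "WS02"}
{"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate", "TargetUserName": "carol", "IpAddress": "-", "WorkstationName": "WS03"}
{"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM", "TargetUserName": "bob", "IpAddress": "203.0.113.7", "WorkstationName": "WS02"}
"""

# Assumed internal address space; adjust to the environment being monitored.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Parse JSON-lines event export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ntlm_network_logons(events):
    """Successful network logons (4624, LogonType 3) that used the NTLM package."""
    return [e for e in events
            if e.get("EventID") == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"]


def ntlm_usage_by_account(events):
    """Accounts still authenticating over NTLM, with counts: these are the ones
    that would need attention before relying exclusively on Kerberos."""
    return Counter(e["TargetUserName"] for e in ntlm_network_logons(events))


def external_ntlm_sources(events):
    """NTLM network logons whose source address is outside INTERNAL_NETWORKS.
    Returns (account, source ip, claimed workstation) tuples for triage."""
    hits = []
    for e in ntlm_network_logons(events):
        ip = e.get("IpAddress", "-")
        if ip == "-":
            continue  # local/console logons carry no source address
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in INTERNAL_NETWORKS):
            hits.append((e["TargetUserName"], ip, e.get("WorkstationName")))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("NTLM use by account:", dict(ntlm_usage_by_account(evs)))
    print("NTLM logons from outside internal ranges:", external_ntlm_sources(evs))
```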
## References
- Vendor Advisory: Microsoft Security Update Guide: msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-21194 (Note: This link appears to refer only to a Surface hardware vulnerability mentioned in passing, not the primary exploited flaws).